US10419466B2ActiveUtilityA1

Cyber security using a model of normal behavior for a group of entities

89
Assignee: DARKTRACE LTDPriority: Feb 9, 2016Filed: Feb 6, 2017Granted: Sep 17, 2019
Est. expiryFeb 9, 2036(~9.6 yrs left)· nominal 20-yr term from priority
H04L 63/104G06F 21/55G06N 5/022G06N 7/01H04L 63/1425G06F 21/566G06F 21/552H04L 63/20G06N 7/005
89
PatentIndex Score
45
Cited by
48
References
16
Claims

Abstract

Disclosed herein is a method for use in detection of abnormal behavior of a group of a plurality of entities of a computer system. The method is arranged to be performed by a processing system and comprises: creating a model of normal behavior of the group of entities; and determining, in accordance with the model of normal behavior of the group of entities, a parameter indicative of abnormal behavior of the group of entities. Also disclosed is an equivalent computer readable medium and anomalous behavior detection system.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A method for use in detection of abnormal behavior, the method arranged to be performed by a processing system for a cyber security system, the method comprising:
 creating a model of normal behavior of a group of entities from a plurality of entities of a computer system, wherein the model of normal behavior of the group of entities is based on a Bayesian model that uses at least conditional probability terms, wherein within the Bayesian model, groups, G, are dependent on time, T; devices, Y, are dependent on groups, G, and time, T; activities, A, are dependent on devices, D, groups, G, and time, T; and network traffic data N is dependent on activities, A, devices, D, groups, G, and time, T; and 
 determining, in accordance with the model of normal behavior of the group of entities, a parameter indicative of abnormal behavior of the group of entities, where the method for the detection of abnormal behavior of the group of entities for the computer system uses at least the determined parameter indicative of abnormal behavior of the group of entities to detect abnormal behavior. 
 
     
     
       2. The method of  claim 1 , wherein the group of entities is formed by grouping the plurality of entities of the computer system. 
     
     
       3. The method of  claim 2 , wherein the grouping of the plurality of entities of the computer system to generate the group of entities is based on data associated with the plurality of entities of the computer system. 
     
     
       4. The method of  claim 2 , wherein the grouping of the plurality of entities of the computer system to generate the group of entities is performed by spectral partitioning. 
     
     
       5. The method of  claim 2 , wherein the grouping of the plurality of entities of the computer system to generate the group of entities is based on prior knowledge of the plurality of entities of the computer system. 
     
     
       6. The method of  claim 1 , wherein the model of normal behavior of the group of entities is based on metrics representative of data associated with the plurality of entities of the computer system. 
     
     
       7. The method of  claim 1 , wherein the Bayesian model comprises the group of entities and one or more elements including a time characteristic associated with the group of entities and/or one or more entities of the group of entities, a device associated with a first entity of the group, an activity associated with a second entity of the group and network traffic data associated with a third entity of the group of entities. 
     
     
       8. The method of  claim 1 , wherein the Bayesian model uses at least one or more of the conditional probability terms:
 P(G/T); 
 P(Y/G,T); 
 P(A/Y,G,T); and 
 P(N/A,Y,G,T). 
 
     
     
       9. The method of  claim 8 , wherein the conditional probability terms are updated with an interpolation term with an interpolation weight w, wherein:
     P ( U/T )→ wP ( U/T )+(1− w ) P ( G/T )
 
     P ( D/U,T )→ wP ( D/U,T )+(1− w ) P ( Y/G,T )
 
     P ( A/D,U,T )→ wP ( A/D,U,T )+(1− w ) P ( A/Y,G,T )
 
     P ( N/A,D,U,T )→ wP ( N/A,D,U,T )+(1− w ) P ( N/A,Y,G,T ).
 
 
     
     
       10. The method of  claim 1 , wherein the conditional probability terms are updated with an interpolation term with an interpolation weight w. 
     
     
       11. The method of  claim 10 , wherein the interpolation weight w is determined based on an amount of data available for modeling a particular user. 
     
     
       12. The method of  claim 1 , wherein the parameter is a probability. 
     
     
       13. The method of  claim 1 , further comprising determining, in accordance with the parameter indicative of abnormal behavior of the group of the computer system, a new parameter indicative of a cyber-threat. 
     
     
       14. The method of  claim 1 , wherein the plurality of entities of the computer system comprises one of a device, a user or an activity. 
     
     
       15. A computer readable non-transitory medium comprising computer readable code that when in use, instructs a computer in the computer system to perform the method of  claim 1 . 
     
     
       16. An anomalous behavior detection system comprising a processor, and a non-transitory memory comprising computer readable code, that when in use, instructs the processing system to perform the method of  claim 1 .

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.